IPD - System Center Configuration Manager 2007



-40767014097000Infrastructure Planning and DesignMicrosoft? System Center Configuration Manager 2007 SP1 with R2Version 1.0Published: October 2008For the latest information, please see technet/SolutionAcceleratorsCopyright ? 2008 Microsoft Corporation. This documentation is licensed to you under the Creative Commons Attribution License. To view a copy of this license, visit or send a letter to Creative Commons, 543 Howard Street, 5th Floor, San Francisco, California, 94105, USA. When using this documentation, provide the following attribution: Infrastructure Planning and Design is provided with permission from Microsoft Corporation. This documentation is provided to you for informational purposes only, and is provided to you entirely "AS IS". Your use of the documentation cannot be understood as substituting for customized service and information that might be developed by Microsoft Corporation for a particular user based upon that user’s particular environment. To the extent permitted by law, MICROSOFT MAKES NO WARRANTY OF ANY KIND, DISCLAIMS ALL EXPRESS, IMPLIED AND STATUTORY WARRANTIES, AND ASSUMES NO LIABILITY TO YOU FOR ANY DAMAGES OF ANY TYPE IN CONNECTION WITH THESE MATERIALS OR ANY INTELLECTUAL PROPERTY IN THEM. Microsoft may have patents, patent applications, trademarks, or other intellectual property rights covering subject matter within this documentation. Except as provided in a separate agreement from Microsoft, your use of this document does not give you any license to these patents, trademarks or other intellectual rmation in this document, including URL and other Internet Web site references, is subject to change without notice. Unless otherwise noted, the example companies, organizations, products, domain names, e-mail addresses, logos, people, places and events depicted herein are fictitious. Microsoft, Active Directory, SQL Server, and Windows Server are either registered trademarks or trademarks of Microsoft Corporation in the United States and/or other countries. The names of actual companies and products mentioned herein may be the trademarks of their respective owners.You have no obligation to give Microsoft any suggestions, comments or other feedback (“Feedback”) relating to the documentation. However, if you do provide any Feedback to Microsoft then you provide to Microsoft, without charge, the right to use, share and commercialize your Feedback in any way and for any purpose. You also give to third parties, without charge, any patent rights needed for their products, technologies and services to use or interface with any specific parts of a Microsoft software or service that includes the Feedback. You will not give Feedback that?is subject to a license that requires Microsoft to license its software or documentation to third parties because we include your Feedback in them.Contents TOC \o "1-1" \h \z \u The Planning and Design Series Approach PAGEREF _Toc213037610 \h 1Introduction to the Microsoft System Center Configuration Manager 2007 Guide PAGEREF _Toc213037611 \h 3Configuration Manager in Microsoft Infrastructure Optimization PAGEREF _Toc213037612 \h 5Configuration Manager Design Process PAGEREF _Toc213037613 \h 6Step 1: Define the Project Scope PAGEREF _Toc213037614 \h 8Step 2: Determine Which Roles Will Be Deployed PAGEREF _Toc213037615 \h 13Step 3: Determine the Number of Sites Required PAGEREF _Toc213037616 \h 17Step 4: Design the Sites PAGEREF _Toc213037617 \h 19Step 5: Determine the Number of Hierarchies Required PAGEREF _Toc213037618 \h 29Step 6: Design Each Hierarchy PAGEREF _Toc213037619 \h 30Conclusion PAGEREF _Toc213037620 \h 31Appendix A: Client Population Job Aid PAGEREF _Toc213037621 \h 32Appendix B: Number of Configuration Manager Sites and Hierarchies Requirements Job Aid PAGEREF _Toc213037622 \h 33Acknowledgments PAGEREF _Toc213037623 \h 34The Planning and Design Series ApproachThis guide is one in a series of planning and design guides that clarify and streamline the planning and design process for Microsoft? infrastructure technologies.Each guide in the series addresses a unique infrastructure technology or scenario. These guides include the following topics:Defining the technical decision flow (flow chart) through the planning process.Describing the decisions to be made and the commonly available options to consider in making the decisions.Relating the decisions and options to the organization in terms of cost, complexity, and other characteristics.Framing the decision in terms of additional questions to the organization to ensure a comprehensive understanding of the appropriate business landscape.The guides in this series are intended to complement and augment the product documentation.Document ApproachThis guide is designed to provide a consistent structure for addressing the decisions and activities that are most critical to the successful implementation of the Microsoft System Center Configuration Manager (ConfigMgr) 2007 SP1 with R2 infrastructure. Each decision activity is subdivided into four elements:Background on the decision or activity, including context setting and general considerations.Typical options or tasks involved with performing the activity. A reference section that evaluates the tasks in terms of cost, complexity, and manageability.Questions for the organization that may have a significant impact on decisions to be made.The following table lists the full range of characteristics discussed in the evaluation sections. Only those characteristics relevant to a particular option or task are included in each section.Table SEQ Table \* ARABIC 1. Architectural CharacteristicsCharacteristicDescriptionComplexityThe complexity of this option relative to other options.CostThe initial setup cost and sustained cost of this option. Fault ToleranceHow the decision supports the resiliency of the infrastructure. This will ultimately affect the availability of the system. PerformanceHow the option will affect the performance of the infrastructure. ScalabilityThe impact the option will have on the scalability of the infrastructure. SecurityWhether the option will have a positive or negative impact on overall infrastructure security. Each of the design options is compared against the above characteristics and is subjectively rated to provide a relative weighting of the option against the characteristic. The options are not explicitly rated against each other as there are too many unknowns about the organization drivers to accurately compare them.The ratings are relative and take two forms:Cost and complexity are rated as high, medium, or low.The remaining characteristics are rated on the scale listed in the following table.Table SEQ Table \* ARABIC 2. Impact on CharacteristicSymbolDefinition↑Positive effect on the characteristic.→No effect on the characteristic, or there is no comparison basis.↓Negative effect on the characteristic.The characteristics are presented in either two-column or three-column tables. The two-column table is used when the characteristic is applicable to all options or when there are no options available—for example, when performing a task.The three-column table is used to present an option, the description, and the effect—in that order—for the characteristic.Who Should Use This DocumentThe content in this guide assumes that the reader is familiar with Configuration Manager concepts and is planning an implementation of Configuration Manager.This document is written for use by information technology (IT) specialists, generalists, consultants, value-added resellers (VARs), or anyone who needs to design a Configuration Manager implementation.The reader can use this document:Before the design process begins, to understand the critical design decisions that need to be made.During the design process, to ensure that decision makers stay aware of the overall parameters set by both IT and the business.After the design process has been completed, to validate that all critical design areas have been addressed.Introduction to the Microsoft System Center Configuration Manager 2007 GuideThis guide leads the reader through the process of planning a Configuration Manager infrastructure. The guide addresses the following fundamental decisions and tasks:Identifying which Configuration Manager features will be needed.Designing the components, layout, security, and connectivity of the Configuration Manager infrastructure.Business objectives should be prioritized at the start of the project so that they are clearly understood and agreed on by IT and business managers.Following this guide will result in a design that is sized, configured, and appropriately placed to deliver the stated business benefits, while considering the user experience, security, manageability, performance, capacity, and fault tolerance of the system.The guide addresses the scenarios most likely to be encountered by someone designing a Configuration Manager infrastructure. Customers should consider having their architecture reviewed by Microsoft Customer Service and Support prior to implementation as that organization is best able to comment on the supportability of a particular design.Figure 1 illustrates the relationship between the components that can work together to deliver a configuration management solution with Configuration Manager.Figure SEQ Figure \* ARABIC 1. Configuration Manager architectureThe components can be designed in many different ways. Figure 1 shows the components in one implementation for illustrative purposes only.A Configuration Manager instance can include three types of sites: Central site. There is one central site, which is the top of the site hierarchy. If there is only one site in the hierarchy, that site is both a central site and a primary site. This site requires a site server and a site database.Primary sites. These report up to either the central site or another primary site; there can be an unlimited number of tiers of primary sites. Each primary site requires a site server and a site database.Secondary sites. Each secondary site reports up to one primary site. A secondary site requires a site server, but not a database.AssumptionsTo limit the scope of material in this guide, the following assumptions have been made: The design being created is for Configuration Manager 2007 SP1 with R2.Active Directory? directory service is already designed. For assistance in designing Active Directory, see the Infrastructure Planning and Design Guide Windows Server 2008 Active Directory Domain Services at ipd.Software prerequisites for the relevant features are met.FeedbackPlease direct questions and comments about this guide to satfdbk@.Configuration Manager in Microsoft Infrastructure OptimizationThe Infrastructure Optimization (IO) Model groups IT processes and technologies across a range of organizational maturity. (For more information, see .) The model was developed by industry analysts, the Massachusetts Institute of Technology (MIT) Center for Information Systems Research (CISR), and Microsoft’s own experiences with its enterprise customers. A key goal for Microsoft in creating the IO Model was to develop a simple way to use a maturity framework that is flexible and that can easily be applied as the benchmark for technical capability and business value. IO is structured around three information technology models: Core Infrastructure Optimization, Application Platform Optimization, and Business Productivity Infrastructure Optimization. According to the Core IO Model, Configuration Manager can move an organization from a basic to a dynamic level of maturity. At a standardized level, the environment distributes software packages using manual processes. A rationalized level includes fully automatic software updates. A dynamic level of maturity requires asset management that includes automated compliance. This guide will assist you in planning and designing the infrastructure for a Configuration Manager implementation.Figure SEQ Figure \* ARABIC 2. Mapping Configuration Manager technology into the Core IO ModelInfrastructure Architecture and Business ArchitectureFor additional information about business architecture tools and models, please contact a Microsoft representative or watch the video about this topic, available at Manager Design ProcessThis guide addresses the following decisions and activities that must occur in planning the design for Configuration Manager. The six steps that follow represent the most critical design elements in a well-planned Configuration Manager design:Step 1: Define the Project ScopeStep 2: Determine Which Roles Will Be DeployedStep 3: Determine the Number of Sites Required Step 4: Design the SitesStep 5: Determine the Number of Hierarchies RequiredStep 6: Design Each HierarchyDecision FlowFigure 3 provides a graphic overview of the steps involved in designing a Configuration Manager infrastructure.Figure SEQ Figure \* ARABIC 3. The Configuration Manager infrastructure decision flowApplicable ScenariosThis guide addresses the planning and design decisions involved in creating a successful Configuration Manager infrastructure and is written to address the needs of the following groups:Organizations with no configuration management solution that want to use Configuration anizations that presently use another configuration management solution and are planning to move to Configuration anizations with multi-forest environments where Configuration Manager will be employed to manage systems that span Active Directory forest anizations that have distributed environments with systems separated by wide area network (WAN) anizations with mobile devices, such as smartphones, that operate beyond firewalls but must be managed anizations upgrading from Systems Management Server (SMS) 2003 to Configuration Manager.Out of ScopeThis guide does not address the following:Multi-tenancy. Configuration Manager can be delivered as a hosted service for shared use by more than one organization.System Center Essentials. System Center Essentials is a separate product that includes both software update and operations management functions. It is specifically designed for midsize businesses (up to 500 PCs and 30 servers). Configuration Pack development. The standard Configuration Packs that are provided for use with Desired Configuration Management on Microsoft server applications, such as Exchange Server, can be extended. New Configuration Packs can also be created for other applications. In-place upgrade. If an organization is planning an in-place upgrade, the architectural choices will likely be significantly constrained by limitations of the existing system and its specific implementation. This guide does not attempt to address these permutations. Migration. If an organization is planning to install Configuration Manager as a new installation alongside an existing system and then switch over, then this guide considers that as a new installation. This guide, however, does not address the migration from the legacy system to Configuration Manager.Step 1: Define the Project ScopeIn Step 1, the project scope will be defined in order to align the goals of the project with the business motivation. The appropriate parts of the organization will be identified for inclusion in the project. Then one or more Configuration Manager features will be selected to meet the business goals. Configuration Manager is a powerful product with a rich feature set, and so it’s very important to determine which of its features to use. The specific target machines that will become Configuration Manager clients will be identified based on the project scope and the selected features. Finally, the organization’s service level expectations and future growth plans will be documented to assist in the planning process. This information is used in Step 2 to determine which roles are needed.Task 1: Determine If the Project Will Encompass the Entire Enterprise Before beginning to plan and design a Configuration Manager infrastructure, an organization needs to determine which parts of its environment to include in the design. Configuration Manager can be deployed across the entire enterprise, to specific hub locations (a regionalized approach), or to individual satellite offices (a decentralized approach).Deployment across the enterprise, including all corporate data centers, delivers standardization and the associated economies of scale over time. Deployment across the enterprise can maximize the return on investment, but it takes time for that return to be realized, and the risk will be increased because of the number of systems involved. Configuration Manager can also be deployed to one or more hub locations where there are concentrations of users, computers, and/or network connectivity. This provides a pilot environment to prove the process and benefits before deploying on a wider scale. Deploying to hub locations delivers standardization across a region and some economies of scale, but upfront costs are relatively high. A deployment to satellite locations reduces the upfront costs and risk of the project because fewer systems will be involved, and it provides a pilot environment. Deployment to satellite locations is achieved at the risk of creating non-standard configurations in the remote locations; this may be difficult to support because of lack of specialized staff. The return on investment will also be lower. Record the scope of the project as enterprise, hub, or satellite in Table A-1 in Appendix A: “Client Population Job Aid.” If it is determined that the scope should be limited to hub or satellite deployment, also record in Table A-1 which hubs or satellite locations will be included. Validating with the BusinessTo ensure that there is a complete understanding of how the planned infrastructure will affect the business, ask business stakeholders the following questions when deciding on which part of the infrastructure to implement Configuration Manager:What is the primary reason for implementing Configuration Manager? For example, the business goal may be to reduce deployment time for new applications.What is the expected timeline for moving to Configuration Manager? In many cases, organizations start with a limited deployment to gain expertise with the technology and to test various configurations.What are the expectations for growth or contraction? Are there significant planned changes in the size or usage patterns of applications or locations?Task 2: Determine Which Configuration Manager Features This Project Will AddressThis task will be used to first determine the business motivation for implementing Configuration Manager, and then to identify which product features will be used to deliver the functionality that the business requires. Use the Configuration Manager feature descriptions table below and put a check in the Select column for each feature needed. For example, if the business goal is to automate software installation, check the boxes for Operating System Distribution, Software Distribution, and Software Updates. Then add the client locations for each required feature, based on the output of Task 1.Table SEQ Table \* ARABIC 3. Configuration Manager Feature SelectionBusiness GoalFeatureDescriptionSelectLocationAutomate software installationOperating System DistributionInstalls a configured operating system, even on systems that have no operating systems (bare metal).Software DistributionInstalls and configures software programs. Application VirtualizationStreams applications that have been sequenced by Microsoft Application Virtualization (App-V).Software UpdatesScans servers and workstations for software updates and deploys those updates.Asset inventoryHardware InventoryCollects hardware information from business servers and client systems, such as available disk space, processor type, and operating system.Software InventoryCollects software information, such as versions.Asset IntelligenceRecognizes Microsoft and third-party software “signatures” by checking and verifying information in a database—for example, checking executable filenames.Standardize configurations and complianceNetwork Access ProtectionProvides enforcement of software updates on clients before they can access network resources.Desired Configuration ManagementDefines configuration standards and policies, and audits standards compliance throughout the enterprise against those defined configurations. Software MeteringCollects and reports on software that is in use so that this can be compared against licenses to ensure software license compliance.Manage outside the enterpriseInternet-Based Client ManagementEnables management of clients that are beyond the organization’s firewall boundary—for example, on the Internet.Mobile Device Management Mobile devices, such as smartphones and Pocket PCs, can run a capabilities subset, such as inventory and software distribution (cannot be managed by remote control or receive operating system deployments like desktop clients).Manage machines off hoursWake on LANCan power on a system, even when it’s switched off, which is useful for performing software distribution or software updates during off hours. Out of Band ManagementCan manage systems when they are turned off, in sleep mode, in hibernation mode, or otherwise unresponsive. The managed computer must have the Intel V-Pro chip installed.Take the Help Desk to the userRemote ControlRemotely administer client workstations. Useful for Help Desk personnel needing to troubleshoot individual user issues.The infrastructure can be designed for more roles than will be initially implemented, so plan with the future in mind. First, conduct the design process for the complete desired feature set, and then repeat the design process for each feature. Once that is done, decide how to implement an infrastructure subset to provide the first-priority features. Do this with a design that can grow to deliver the final and complete set of required features. Plan to implement each desired feature one at a time to keep the project as easily manageable as possible. This will require performing the following steps in the guide for each feature, as appropriate, and potentially redesigning the hierarchies and sites in each iteration.Task 3: Define the Client Population to Be ManagedNow that the part of the organization to be included has been selected, the next task is to define the machines (both business clients and business servers) for which Configuration Manager functions will be deployed. This, in turn, will be used to determine the number of computers to which the Configuration Manager client will be deployed, as well as the Configuration Manager sites’ size and the server infrastructures in them.Assess the client population. Refer to to determine which clients can be supported, then use Table A-2 in Appendix A to record the following client population information:Where are the client locations? How many clients are in each location? This is used to determine site server locations and server sizing and to design the site boundaries in Step 5.What are the client device types? Different Configuration Manager features are relevant to the different client types. For example, Remote Control cannot be used with mobile phones.Are there security boundaries in the client population? If different clients are subject to different security restrictions, they may need to be placed in sites or hierarchies that are administered separately.How are the clients connected? Are they connected via LAN, WAN, dial-up, and/or VPN? How busy are those network links? Will clients be always connected, sometimes connected, or never connected? Obtain a network infrastructure diagram that shows client locations. This will be used to determine the number of sites required in Step 3 and to determine which site system roles to deploy in Step 4. Will clients move between locations? This helps determine if site capacity needs to be planned in more than one location for roaming clients. This will be used in Step 4 to determine the site design.Task 4: Determine the Organization’s Service ExpectationsDetermine the service expectations of business stakeholders for Configuration Manager. For example, what’s the acceptable time window if critical updates need to be deployed? What are the service windows within which deployments and updates can take place? Validate whether the expectations are achievable; if they aren’t achievable, engage with the stakeholders to ensure they understand what can be achieved. Record the agreed-upon service expectations, if any, in Table A-3 in Appendix A so that they can be used to design the server infrastructure in Step 4 and the hierarchies in Step 6.Validating with the BusinessAsk business stakeholders the following questions to understand any other factors that may affect the Configuration Manager design:Are any acquisitions or divestitures planned in the environment in which Configuration Manager will be implemented? These could affect the size of the Configuration Manager client population and, therefore, the infrastructure sizing.Will any license agreements expire in the future for existing configuration management products? A requirement to replace them could increase the project’s scope and cost.Step Summary In Step 1, the business motivation and the project scope were determined and a decision was reached on which Configuration Manager features to implement in order to deliver the required functionality. To assist in the planning process, information was collected on the current infrastructure and future plans for growth. Finally, future environment changes that could affect infrastructure sizing were determined.The output of Step 1 is:A table of selected features in Task 1. This information will be used in Step 2 to identify which server roles are required for the project.A table in Appendix A of deployment scope, client locations, and service expectations.Additional ReadingConfiguration Manager library: of Configuration Manager 2007: Compliance Management, a Solution Accelerator 2: Determine Which Roles Will Be Deployed The feature selections that were made in Step 1 will be the basis in Step 2 for selecting the site roles for each location. A Configuration Manager deployment includes one or more sites, and each site includes a number of roles to deliver specific functions. Establishing which site roles are required and where they are located determines site design and sizing, network sizing, and if the Configuration Manager client will be deployed.At the end of this step, the required roles will have been selected and documented. The site roles will be used to design the site systems infrastructure in Step 4.This step will be repeated for each business requirement included in the design.Task 1: Select the Required Roles Limit the design of the optional and function-specific roles to those necessary to deliver the business requirements determined in Step 1. Refer to the functions and locations that were selected in Step 1. In the table below, write in the locations where each function is required, then read across to select the required roles. The selection of optional roles will be covered in Step 4: “Design the Sites.”Note: The role descriptions are listed in Table 5: “Configuration Manager Site Roles with Descriptions.”This information will be used in Step 4 to determine site design and sizing.Table SEQ Table \* ARABIC 4. Features vs. Configuration Manager Site System RolesConfiguration Manager Site System RolesRequiredOptionalFeature SpecificFeatureLocations Selected in Step 1SMS ProviderMP/PMPSLPFSPRPRSPSUP/WSUSDP/PDP/ BDPAISPSHVOoBSPPXESMPClient Agents and FeaturesOperating System DistributionXXXO*O*Software DistributionXXXApplication VirtualizationXXSoftware UpdatesXXXXHardware InventoryXXSoftware InventoryXXAsset IntelligenceXXXNetwork Access ProtectionXXXDesired Configuration ManagementXXSoftware MeteringXXInternet-Based Client ManagementXXMobile Device ManagementXXWake On LANXOut of Band ManagementXXRemote ControlXO* = OptionalConsult the table below for the site role descriptions.Table SEQ Table \* ARABIC 5. Configuration Manager Site Roles with DescriptionsSite RoleDescriptionSMS ProviderThe interface between the Configuration Manager console and the site database. Management point (MP)The site system role that serves as the primary point of contact between Configuration Manager clients and the Configuration Manager site server.Proxy management point (PMP)A management point residing in a secondary site that proxies most MP data between clients within that site and the primary site where they are assigned.Server locator point (SLP)A site system role that locates management points for Configuration Manager clients.Fallback status point (FSP)A site system role that gathers state messages from clients that cannot install properly, cannot assign to a Configuration Manager site, or cannot communicate securely with their assigned management point.Reporting point (RP)A site system role hosts the Report Viewer component for Web-based reporting functionality.Reporting Services point (RSP)A site system role assigned to a computer running SQL Server? Reporting Services. It provides tools and resources that enable advanced report generation from the Configuration Manager console.Software update point (SUP)A site system role that is used to integrate with Windows Server? Update Services (WSUS).Distribution point (DP)A site system role that stores package source files for deployment to clients.Protected distribution point (PDP)A Configuration Manager distribution point that has boundaries configured to prevent clients outside the boundaries from retrieving packages.Branch distribution point (BDP)A Configuration Manager site system that stores package source files and is designed to be located in a distributed location with limited network bandwidth or a limited number of clients.Asset Intelligence synchronization point (AISP)A site role that is used to connect to System Center Online to manage Asset Intelligence catalog information updates.System Health Validator point (SHV)Used with Network Access Protection to provide remediation. Out of band service point (OoBSP)A site system role that discovers, provisions, and manages desktop computers that have management controllers (Intel Active Management Technology (AMT)-based computers).Site RoleDescriptionPXE service point (PXE)A site system role that has been configured to respond to and initiate operating system deployments from computers whose network adapter is configured to allow PXE boot requests.State migration point (SMP)A site system role that stores user state data when a new system is built for that user.Step Summary In this step, the required roles were selected. Selection was based on the product features that were chosen in Step 1. The output of Step 2 is:The site roles were identified for the chosen features for each location. This information will be used in Step 4 to determine site design and sizing.Additional ReadingUnderstanding Configuration Manager Sites: Configuration Manager Features: 3: Determine the Number of Sites RequiredNow that the required roles have been identified, the number of sites required to host these roles will be determined in Step 3. Task 1: Determine the Number of Sites Start with one site, and then add more sites as required by any of the following:Scale. A site can include a maximum of 100,000 clients. Refer to the number of clients that were determined to be within the scope of the project, and if that number exceeds this value, additional sites will need to be planned.Privacy concerns. Details of files on the client that are exposed to the administrator are the same for all clients site-wide. If some clients require a higher level of privacy than others, a separate site may need to be created for them. Internet-connected clients. In this case, a separate site may be placed in the perimeter network (also known as DMZ) so that ports do not have to be opened into the secure zone for client-to-site connections. For a list of the ports that must be open for each of the site connections and for site-to-site connections, see Directory forests. All the server roles within a site must be within the same Active Directory forest, with the following exceptions:System Health Validator pointServer locator point PXE service pointInternet-based client management, which supports the following site systems installed in a separate forest to the site server:Management pointDistribution pointSoftware update pointFallback status pointIf a server role must be implemented on a server that is in a different forest from the site server, it will be necessary to design it in a different site. Note???Clients can be outside the forest boundary or in another forest. Network location. Clients that are in locations separated from the site by a slow link could require a separate site that is local to them in order to protect the network from overload. A link between sites can be bandwidth-throttled, but links within a site (between site systems) cannot be bandwidth-throttled. When a large distribution occurs on an intra-site link from a site server to a client, all of the bandwidth could be consumed, effectively excluding other traffic from that link. This can be avoided by designing a separate local site for those clients. If clients are separated from the site by slow links, design additional local sites for those clients.International languages. Many organizations that operate internationally or across linguistic barriers must support multiple languages on their site systems and clients. Each localized site server supports only certain localized clients. Confirm whether the planned sites will support the localized clients by referring to the information at . If the sites will not support localized clients, design additional anization. There may be reasons for separating a group of clients into a different site, such as when a newly acquired company is being integrated or when a part of the organization is being divested. Record the number of sites required in Appendix B: “Number of Configuration Manager Sites and Hierarchies Requirements Job Aid.” For each site, record the clients that will be included in the site.Proceed to Step 4 to design the sites. Step Summary In Step 3, the number of sites required for the project was determined. It was recommended that one site be selected to begin with, and to add more sites only if necessary.This information will be used in Step 4 to design the sites. Additional ReadingConfiguration Manager Site Capacity Planning: and Deploying Your Multilingual Site Hierarchy: 4: Design the Sites Now that the number of sites has been determined, the site systems will be designed in this step, including determining the number of servers to be located in each site and the form factor of those servers. Start by referring to “Configuration Manager Site Capacity Planning” at to understand the support limits for the scale of the site servers and some of the roles. Each site will be designed within these limits. This step must be repeated for each site that was listed in Step 4. The sites will then be grouped into hierarchies in Step 6.Task 1: Plan the Required Roles Refer to Step 2 for the site roles that are required. For each role, compare the number of clients that will use it against the scale limits for the role. Record the selections for each site in Appendix B.Table 6. Required Site System RolesRoleDescriptionScale LimitsMinimum Number RequiredSMS ProviderThe interface between the Configuration Manager console and the site database. It cannot be installed on a clustered SQL Server database server or on the same computer as the SMS Provider for another site.Scales to site capacity, which is 100,000 clients.One per site.Management pointThe primary point of contact between Configuration Manager clients and the Configuration Manager site server. It distributes policy to the clients and receives state messages, status messages, and inventory and discovery data, as well as software usage data from them.Up to 25,000 clients. Up to 25,000 clients supported on one MP. If more clients or redundancy of MPs is required, then up to four MPs in an NLB cluster to support up to 100,000 clients per site.If the server locator point role is required, design it in only one site: the site that will likely become the central site so that it can service all the sites below it in a site hierarchy.Task 2: Plan the Optional Roles Add the optional roles that will be used to the site design. Record the selections for each site in Appendix B.Table 7. Optional Site System RolesRoleDescriptionWhen to Use the RoleScale LimitsMinimum Number Required (if role is used)Server locator pointLocates management points for Configuration Manager clients. Clients are in a workgroup or in a different forest from the site and cannot query their site assignments in Active Directory.Scales to hierarchy capacity, which is 200,000 clients.One per hierarchy. Fallback status pointGathers state messages from clients that cannot install properly, cannot assign to a Configuration Manager site, or cannot communicate securely with their assigned management points. Useful for troubleshooting, particularly at client installation. Receives communications from clients using unsecured HTTP and so represents a security exposure—may be inappropriate in Internet-based sites.Up to 100,000 clients (or one per site).One per site. Reporting pointHosts the site’s reporting Web site. It delivers reports using data from the database to the SMS Provider interface for display in the Web console.If reports are required from Configuration Manager, which will usually be the case.Scales to site capacity, which is 100,000 clients.One per site.Reporting Services pointA site system role assigned to a computer running SQL Server Reporting Services. It provides tools and resources that enable advanced report generation from the Configuration Manager console.If custom reports are required, particularly for use by business users.As site, 100,000 clients.One per site.Task 3: Plan the Feature-Specific Roles The remaining site system roles are feature-specific. Refer to Step 2 where it was determined which roles were relevant to the location. Use this information to select the relevant roles for the site below, and record the selections for each site in Appendix B.Table 8. Feature-Specific Site System RolesRoleDescriptionScale LimitsMinimum Number RequiredSoftware update point (SUP)A site system role that is used to integrate with Windows Server Update Services (WSUS). Up to 25,000 clients. Up to 25,000 clients supported on one SUP. If more clients or redundancy of SUPs is required, then up to four SUPs in an NLB cluster to support up to 100,000 clients per site.Distribution point (DP)Stores package source files for deployment to clients. It can also work as a streamer for App-V sequenced applications.Up to 4,000 clients. One for every 4,000 clients.Branch distribution point (BDP)Stores package source files and is designed to be located in a distributed location with limited network bandwidth or a limited number of clients. It is able to use bandwidth throttling. It can also work as a streamer for App-V sequenced applications.Up to 2,000 connected to each central or primary site. Each BDP can support up to 100 clients. One for each 100 clients in the BDP location.Note: If the BDP runs on a client OS, only 10 Configuration Manager clients can connect to it at one time.Asset Intelligence synchronization point (AISP)Used to synchronize with the external System Center Online Asset Intelligence catalog.One per hierarchy.System Health Validator (SHV)Used with Network Access Protection to provide remediation. Note: Can only run on Windows Server 2008.Up to 100,000 clients (or one per hierarchy if fewer than 100,000 clients).One per hierarchy.Out of band service point (OoBSP)A site system role that discovers, provisions, and manages desktop computers that have management controllers (such as AMT-based computers).Up to 100,000 clients.One per site.PXE service pointInitiates operating system deployments from computers whose network adapter is configured to allow PXE boot requests.Up to 100,000 clients.One per site.State migration point (SMP)Stores user-state data when a new system is built for that user.Up to 100,000 clients.One per site.Task 4: Determine Where to Place Hierarchy RolesIf any of the following roles are required, design each of them in only one site in the hierarchy:The Asset Intelligence service point should be designed in a site that enables it to connect with the external System Center Online database.The System Health Validator point should be designed in a site that allows it to run on Windows Server 2008.The software update point role should be designed so that it can access the Internet in order to synchronize with WSUS.Task 5: Determine Where to Place Primary and Secondary Sites and Branch Distribution PointsSites can be primary or secondary sites or, if the business requirement is to automate software installation, a branch distribution point (BDP) could be used to represent a package distribution site. The intra-site link to a BDP can be bandwidth-throttled and, for that reason, it is treated here like a separate site. No other intra-site links can be bandwidth-throttled. A primary site can include all of the available roles. It requires a site server and a site database. A secondary site can include only a subset of the roles: distribution points, software update points, proxy management point, and clients. Each secondary site requires a site server, but it does not have a database. A secondary site reports up to a primary site and is always a child site; it cannot have children. There can be up to 500 secondary sites per primary site. Each secondary site can have a distribution point that supports 4,000 clients; however, performance may vary depending on the size of the packages.A BDP is a Configuration Manager site system that can be installed on a client machine to store package source files. It is part of a central primary or secondary site. There can be up to 2,000 BDPs per site, each supporting 100 clients. But if the BDP runs on a client operating system, only 10 clients can connect to it at any one time. Note that the BDP, like all site systems, must be within the Active Directory trust boundary.Refer to the business requirements that were determined in Step 1 and to the required roles that were determined in Step 2. If the requirement is for automated software installation using package source files that will be delivered over the network, weigh the characteristics above to determine whether to design a primary site, a secondary site, or a branch distribution point in the location. If the requirement was for a different Configuration Manager function, primary sites will be required.Task 6: Determine If Native Mode Is RequiredA Configuration Manager site can operate in either native mode or mixed mode. It’s important to determine whether native mode is required because a native mode site cannot report up to a mixed mode site in a site hierarchy, so another hierarchy might need to be added to the design. Alternatively, all the sites above this one in the hierarchy must be converted to native mode. Option 1: Native ModeIn native mode, trust is established between clients and servers by exchanging certificates using a public key infrastructure (PKI) for authentication. The PKI can be complex to set up and maintain, but it enables secure management of devices outside the enterprise, such as smartphones. BenefitsThe benefits of deploying a Configuration Manager hierarchy in native mode are:Higher level of security by integrating with a PKI to help protect client-to-server communication.Enables the management of clients that are connected to the Internet, such as laptops used by mobile workers, computers used from an employee’s home, and smartphones.ChallengesThe limitations of deploying Configuration Manager sites in native mode are:A PKI is required.It is estimated that native mode site operations are 10-15 percent slower in overall performance as compared to sites configured to operate in mixed mode because of the added load of encryption and signing. Cannot interoperate with SMS 2003.All parent locations up to and including the central site must be in native mode.Option 2: Mixed ModeIn mixed mode, a trust relationship exists between clients and servers. Mixed mode enables integration of devices that will not be upgraded from the SMS 2003 client. It is also easier to set up, but it does not offer secure communications beyond the trust boundary. BenefitThe benefit of deploying a Configuration Manager hierarchy in mixed mode is:Enables integration with SMS 2003 infrastructure.ChallengeThe limitation of deploying Configuration Manager sites in mixed mode is:Clients on the Internet are not supported.If native mode is required, a PKI must be in place since native mode must use a PKI as part of the authentication process. If a PKI is not in place, it will need to be designed. In that case, it should be determined whether the effort required to design and implement the PKI will be justified for the native mode requirements of the Configuration Manager project.Review the benefits and limitations of native mode compared to mixed mode to decide whether the use of native mode is required.Record the mode for each site in Appendix B. Repeat this step for the next Configuration Manager hierarchy.Task 7: Assign Clients to SitesNow that the site hierarchy and site locations have been decided, clients must be assigned to the primary sites. Note that clients cannot be assigned to secondary sites; secondary sites are used only to store content and (if a proxy management point is in place) to store policy. This is done by defining the site boundaries to include the appropriate clients, making sure to avoid any ambiguity about which site a client is in. When a client is placed within the boundary of a secondary site, it will report up to the parent primary site. Site boundaries can be defined using the following criteria, either alone or in combination:Internet Protocol (IP) subnets. Enables granularity in designing Configuration Manager sites, which can span Active Directory sites.Active Directory site names. This enables a logical site to be created from a number of physical network segments. However, it does create a dependency on Active Directory administration.IPv6 Prefix. Using IPv6 prefixes provides granularity in administration over a very large address range, but it may create a significant administrative burden. IPv4-only systems cannot communicate directly with IPv6-based computers and may require IP translation, such as NAT, to communicate.IP address range. IP address ranges are most useful for clients that access RAS or VPN servers. Because clients connecting to RAS and VPN servers typically have an IP subnet mask of?255.255.255.255, every address is equivalent to a subnet. Decide how to implement site boundaries, and then assign the clients to their respective sites. Record the decision for each site in Appendix B.Task 8: Design the Boundaries of Protected Distribution Point Systems A distribution point can be protected to limit the load on the server and content acquisition by clients. This is done by restricting access to that distribution point to only certain clients within a site. A special boundary is set up for the protected distribution point within the site boundary. Review the site boundaries that were designed in the previous task to determine whether a distribution point must be protected and, if so, design additional distribution points in the next task to service the site clients that will be beyond its boundaries. Where client populations within a site are separated by lower-speed WAN links, it may appear attractive to design a protected distribution point in each of the separated populations to service just that population. This has the advantage that the protected distribution point is local to its clients, but such distribution points must themselves be populated with packages, which would then flow across the WAN links within the site. Since it’s not possible to throttle the bandwidth on intra-site links, a better design would be to place each of these groups of clients in a separate site, as discussed in Step 3. Task 9: Design the Site SystemsNow that the demand on the required roles has been determined, the roles can be mapped onto one or more site servers. Working within the support limits shown above, start by reviewing the product group’s recommendations so that these can be applied to the design as appropriate.Product Group RecommendationsThere is no architectural guidance available for designing the site systems, so the Configuration Manager product group recommendations for site infrastructure design are provided below: For site servers that manage a large number of assigned clients, use an eight-core machine with the fastest possible CPU and 16 GB of memory.Configuration Manager SP1 with R2 is a 32-bit application, and 64-bit hardware does not deliver additional benefits.Configuration?Manager has been designed to effectively maximize overall CPU processing. It is not unusual to see 85 percent or greater CPU usage on Configuration?Manager site servers.The use of virtual computer site systems for Configuration Manager sites that must process a large amount of data is not recommended.Use separate storage volumes on the site server for:Operating system.Configuration Manager installation directory.Site and site database backup storage.Volume Shadow Copy Service (VSS) storage association for shadow copy temporary storage of the site and site database backup snapshots.Separate the site server and the site server database roles onto different computers.Use separate storage volumes on the site server for:SQL Server tempdb database.SQL Server database logs.SQL Server database.For best performance, the SQL Server tempdb database should be divided into a number of files corresponding to half the number of processors installed on the SQL Server-based computer. When the tempdb SQL Server database is installed using only one file, collisions with multiple processors might occur. If the management point has been set up in an NLB configuration, it should be configured to access a replicated site database hosted by a different SQL Server instance than the actual site database. Using NLB site systems to access a replicated SQL Server site database reduces the load on the site database and improves site performance. If the default management point is configured as an NLB and configured to access the site database directly, it will cause degraded site server performance. All the roles can co-exist together on the site server, but that may not be the best design. The fallback status point role always uses unauthenticated HTTP in clear text to communicate with clients, even if the site is in native mode. For this reason, the fallback status point role represents a security exposure. The Configuration Manager product group recommends that if used, it should be hosted on a separate server that does not host any other roles in order to reduce the potential attack surface. It also makes sense to separate the fallback status point from the management point (MP). Clients contact the fallback status point (FSP) if they are unable to contact the MP. When both roles are on the same server, failure of that server may orphan the client without recording any troubleshooting data. Details of the implementation on which these above recommendations are based are available in the following performance white papers:“System Center Configuration Manager 2007: Sample Configurations and Common Performance Related Questions” available at “Configuring Configuration Manager Sites for Best Performance,” available at and Place the Site ServerThe site server defines the site. It is the first server that is instantiated in the site and may be the only server in the site. If all the required roles will be hosted on the site server, proceed to the next section to design the form factor of the server. If some of the roles will be offloaded onto different servers within the site, add those to the site design and proceed to design the form factor for those servers. Since there is no architecture guidance available on the performance characteristics of each role, proceed with caution and ideally set up a test environment in which the performance of the site can be modeled.Form FactorPerformance testing has been completed by the Configuration Manager product group for a number of sample configurations, and this is available at . However, there are many variables that can affect the required size of the server and its performance, including options to throttle the rate at which packages are distributed to clients and the rate at which inventory information is collected from the clients. In the absence of architectural guidance, proceed with caution, selecting a form factor that is initially small and can grow. If possible, set up a test environment on a small scale to model the site’s behavior in the production environment. If System Center Operations Manager is available, use the Management Pack for Configuration Manager to monitor the performance of this test environment. Then deploy on an increasingly larger scale and measure, learn, and adjust at each deployment.Task 10: Determine the Fault-Tolerance ApproachRefer to the requirements for availability and performance that were determined in Step?1. Performance is important here, just on a different scale, since “response time” can be measured in days. Use these requirements to first determine whether fault tolerance is required at all and, if so, what level of fault tolerance should be planned.The following fault-tolerance options are available within sites: The SQL Server database can be placed into a Microsoft Cluster Server (MSCS) cluster.Management points can use Network Load Balancing (NLB).The software update point (SUP) can use NLB, with either an active or non-active (warm spare) SUP.WSUS can use NLB.Record the roles for which fault tolerance will be used in Appendix B.Step Summary In Step 4 the sites were designed.The output of Step 4 is:The required roles were designed and placed in primary and secondary sites.The optional and feature-specific roles were designed and placed.A determination was made about where to place hierarchy roles.A determination was made for each site’s security mode.The site boundaries were designed to assign clients to their sites.The boundaries of protected distribution point systems were designed.The site systems were then designed.The fault tolerance approach was determined.This step must be repeated for each site that is required. This information will be used in Step 5 to determine the number of hierarchies.Additional ReadingConfiguration Manager Site Capacity Planning: Configuration Manager Sites for Best Performance: Configuration Recommendations: Practices for Central and Primary Site Hardware and Software Configuration: Configuration Manager Performance: Center Configuration Manager 2007: Sample Configurations and Common Performance Related Questions: Mobile Device Management: Considerations When Designing Configuration Manager Sites: Server Resource Usage for Configuration Manager Sites: If a Proxy Management Point is Needed at a Secondary Site: If You Should Install a Fallback Status Point for Configuration Manager Clients: System Center Configuration Manager 2007 Management Pack for Microsoft System Center Operations Manager 2007: Configuration Manager Sites: Manager Site Capacity Planning: Configuration Manager Boundaries: between Native Mode and Mixed Mode: for Branch Distribution Points: 5: Determine the Number of Hierarchies RequiredA Configuration Manager hierarchy consists of a central site and, optionally, one or more primary and secondary sites. A hierarchy also includes all the clients within the boundaries of those sites. In this step, the number of hierarchies is determined so that the required sites can be placed into the appropriate hierarchies in Step 6.Task 1: Determine the Number of HierarchiesStart with one hierarchy and add more hierarchies, only if necessary. Additional hierarchies could be required in the following scenarios:Size. The maximum size of a Configuration Manager hierarchy is 200,000 clients. Refer to Step 1 where the number of clients included in the scope of the project was determined. Compare the number of clients with the scale limit. Add more hierarchies if the limit is exceeded.Central site is mixed mode and native mode is required. When the central site will be mixed mode, perhaps because a PKI cannot easily be implemented there but one or more native mode sites are required, an additional Configuration Manager hierarchy will be required. A native mode site cannot report up to a mixed mode site. Remember that native mode is a requirement for Internet-based client management.Isolated networks. Networks in which clients need to be managed but cannot be connected to any of the planned sites will require an additional Configuration Manager hierarchy. For example, when a client is on an isolated lab network and requires software updates, an additional hierarchy is required. Examine each of the locations that are in scope for the project to identify any isolated networks there.Politics. Different groups within the organization might each require their own hierarchies. For each location, record any requirement for a separate hierarchy driven by political considerations.Regulatory requirements. Regulatory requirements can require total separation of an environment from other environments. Examine each location and record any regulatory requirements that will require the design of additional hierarchies.Record the hierarchies required in Appendix B. Step Summary This step explained that a Configuration Manager hierarchy consists of a central site and, optionally, one or more primary and secondary sites, and that a hierarchy also includes all the clients within the boundaries of those sites. The scenarios that require more than one hierarchy were listed.The output of Step 5 is:The number of Configuration Manager hierarchies required for this project was recorded in Appendix B.This information will be used in Step 6 to design each site hierarchy.Step 6: Design Each HierarchyIn Step 5, the number of hierarchies was determined. Configuration Manager has three types of sites: central, primary, and secondary. A primary site reports up to a central site or another primary site, and if secondary sites are required, they will report up to a primary site or the central site. In this step, the site hierarchy will be designed. There are no published limits to the number of sites that can be in one hierarchy.Refer to Figure 1: “Configuration Manager architecture” in the introduction section of this guide to see one possible site hierarchy implementation.Task 1: Determine Where to Place the Central SiteIf there’s only one site in the hierarchy, it is a central site. A central site requires a site server and a site database. It replicates much of the data from the primary sites that are below it. Place the central site in the location where the best administrative skills and network connections are available.When there are more than 100,000 clients in the hierarchy, the Configuration Manager product group recommends that clients not be assigned to the central site. Assign them instead to primary or secondary sites so that the central site may provide better performance for centralized administration, as well as rollup and reporting of inventory, status, and compliance data.Task 2: Plan the Site HierarchyAll the sites have been defined, along with their locations. Next, the site connections must be designed within the hierarchy. The hierarchy can be deep or wide. Try to limit the depth of the hierarchy to as few tiers as possible because each parent site will hold a replica of much of the data in the databases for all its children. In a deep hierarchy with grandchildren, or even great grandchildren, this will create significant duplication of data in databases that are likely already under heavy load.Record the relationships between sites in the hierarchy in Appendix B.Step Summary In this step, each hierarchy was designed. The location of the central site was determined, and the remaining sites were connected to each other.Repeat this entire step for each hierarchy.ConclusionThis guide has summarized the critical design decisions, activities, and tasks required to enable a successful design of Configuration Manager. It focused on decisions involving:Which Configuration Manager roles will be required.The server roles, role placement, databases, and connectivity of the Configuration Manager infrastructure.The number of Configuration Manager hierarchies required, and how many sites are required within each hierarchy. This was done by leading the reader through the six steps in the decision flow to arrive at a successful design. Where appropriate, the decisions and tasks have been illustrated with typical usage scenarios.As stated in the introduction, it is very important at the start of a Configuration Manager project to have a full understanding of the business objectives for the project by answering the following questions:What benefits does the business expect to achieve through the use of Configuration Manager?What is the value of those benefits and, therefore, the cost case for using Configuration Manager to deliver those benefits?The business objectives should be prioritized at the start of the project so that they are clearly understood and agreed upon between IT and the business. When an architecture has been drafted, limited pilot tests should be conducted before a major rollout begins so that lessons learned can be incorporated back into the design.This guide, when used in conjunction with product documentation, allows organizations to confidently plan the implementation of Configuration Manager.FeedbackPlease direct questions and comments about this guide to satfdbk@.Appendix A: Client Population Job AidUse the table below to record the parts of the organization that are in scope for the project. Table A-1. Deployment ScopeEntire Enterprise, Hub, or Satellite?List Hub or Satellite SitesUse the table below to record the connection characteristics of clients that are in scope for the project. Table A-2. Client Population AssessmentClient LocationDevice TypeSecurity BoundaryConnection Type (LAN/WAN Dial-up/VPN)Always ConnectedSometimes ConnectedNever ConnectedUse the table below to record stakeholders’ expectations of the service levels to be delivered by the infrastructure. Table A-3. Service ExpectationsStakeholderFunctionAgreed-Upon Service ExpectationAppendix B: Number of Configuration Manager Sites and Hierarchies Requirements Job AidUse a table like the one below to design each required hierarchy. Table B-1. Required Sites and Hierarchies SiteReason RequiredSite ModeRoles and Whether Fault TolerantBoundary TypeClientsHierarchyReason RequiredAcknowledgmentsThe Solution Accelerators–Manager and Infrastructure (SA-MI) team acknowledges and thanks the people who produced the Infrastructure Planning and Design Series guide: Microsoft System Center Configuration Manager 2007 SP1 with R2. The following people were either directly responsible for or made a substantial contribution to the writing, development, and testing of this guide. Contributors:Jude Chosnyk—GrandMastersTerry Matthews—GrandMastersEric Orman—MicrosoftFergus Stewart—MicrosoftReviewers:Edo Jorritsma—CapgeminiMichael Kaczmarek—MicrosoftUdo Karten—CapgeminiRobin Maher—MicrosoftWally Mead—MicrosoftMichael Niehaus—MicrosoftAbhishek Pathak—Microsoft Josh Pointer—MicrosoftPrzemek (Shem) Radzikowski—MicrosoftJeroen van Reijmersdaal—CapgeminiMartin Ruiter—CapgeminiMelissa Stowe—MicrosoftRon Thomas—GrandMastersArthur van den Berg—CapgeminiEditors:Laurie Dunham—MicrosoftPat Rytkonen—Volt Technical Services ................
................

In order to avoid copyright disputes, this page is only a partial summary.

Google Online Preview   Download